Trusted Execution Environments have been around for a while now and keep evolving. As support for Confidential Computing is a new hardware security mechanism to protect data in-use. It allows processing sensitive workl... More is included in more commodity platform, standardising this approach is becoming increasingly important to accelerate updake. This is part one of a series of blog posts covering standardisation of confidential computing.
What is Confidential Computing?
Some of you already know what Confidential Computing is and are just curious to learn more about standardisation. In this case just jump over to the next section. Otherwise you might be curious what is this all about and also why standardisation is important. You can learn more from our earlier blog post, check out the article in Wikipedia or reach out to us to learn more.
Why standardise confidential computing?
Just as with many (most?) new technologies, there is more than one way to achieve the same objective. On an abstract level, the goal of confidential computing is to protect data in use (among with other ancillary goals). However, even with a 3-word goal there is plenty of room for interpretation. What exactly is data in use? What is a sufficient level of protection? How should legacy applications be supported (or not)? Each technology vendor will answer these questions in their own way and produce a solution that differs from their competitor. Case in point is the variety of solution architectures between AMD SEV-SNP, ARM CCM, Intel SGX and Intel TDX. We compared these architectures in earlier blog posts and research paper. It would be naive to expect that standardising confidential computing will lead all vendors towards the same solution. As Andrew Tannenbaum once said:
“The nice thing about standards is that you have so many to choose from; furthermore, if you do not like any of them, you can just wait for next year’s model.”
Nonetheless, standardisation is a way to align the solutions and make them interoperable, at least to a certain degree and on a certain level. It is a lengthy process that might look like “bikeshedding” to outsiders. On the other hand, it helps bring adoption much closer: enterprises prefer to choose a technology when the dust has settled rather than betting on wildcard solutions.
Where is the standardisation of confidential computing being done?
Figuring out the scope of confidential computing standardisation is easier said then done. To keep things simple, I consider three standardisation bodies: The Internet Engineering Task Force (IETF), European Telecommunication Standards Institution (ETSI) and the Confidential Computing Consortium (CCC). Below I briefly introduce each of these organisations and their activities relevant to the standardisation of confidential computing. Future parts of this blog post series will cover each of them in more detail.
The IETF has defined a large part of the protocols that power the Internet. These protocols enable you to read this blog by reaching the website of CanaryBit and access the post through an encrypted communication channel using a technology called Transport Layer Security. Standardisation of concepts and technologies related to confidential computing is mainly done in two work groups:
- The Remote An Attestation is a validation process performed against μ-processors with Confidential Computing capability. It valida... More ProcedureS (RATS) work group.
- Trusted Execution Environment Platform (TEEP) work group.
Obviously, confidential computing does not exist or work in a vacuum, so many other work groups are related in one way or another. However, they are only tangental to this topic.
ETSI is a member organisation founded in 1988 supporting development, ratification and testing of globally applicable standards for ICT-enabled systems, applications and services. The technical body that is relevant to confidential computing standardisation within ETSI is NFV-SEC. In one of the upcoming blog posts I will review the latest version of the NFV-SEC work item and what it brings to confidential computing standardisation.
Confidential Computing Consortium (CCC)
Last in this list is the Confidential Computing Consortium, the most recently founded out of the three. The CCC is an industry association and as such might not (yet) be widely recognised as standardisation body. However, it is entirely focused on this topic with work groups contributing both technical implementations, governance guidelines and market analysis. I will review the work done within the CCC in part 4 of this series.
Other standardisation bodies
There are other standardisation bodies or industry alliances that I did not include in the above list. For example, the Trusted Computing Group, the Cloud Security Alliance or the FIDO alliance. In case you consider that this should be corrected, feedback is welcome.
In the following posts in this series, I will dive deeper into work on standardising confidential computing done within IETF, ETSI and CCC, as well as CanaryBit’s contributions to that. In the meantime, if you want to know more about this technology or get tools to trust (and verify) your workloads just reach out to us though the contact form.